Google Chrome’s winning streak fades at annual hacking contest

After emerging unscathed for three years in a row at the Pwn2Own hacker …

As day one of the annual Pwn2Own hacker contest wound down on Wednesday, no browser suffered more abuse than Google Chrome, which was felled by an attack exploiting a previously unknown vulnerability in the most up-to-date version. Combined with a separate contest Google sponsored a few feet away, it was the second zero-day attack visited on Chrome in a span of a few hours.

It was a rare event. To date, there are no known reports of a zero-day attack ever hitting Chrome in the wild, and at the previous three years' contests, Chrome escaped unscathed, even as Internet Explorer, Firefox, and Safari were brought down by exploits that allowed the attackers to take complete control of the machine running the software. The chief reason: Chrome's security sandbox—which isolates web content inside a highly restricted perimeter that's separated from the rest of the operating system—makes it harder to write reliable attacks.

"We pwned Chrome to make things clear to everyone," said Chaouki Bekrar, CEO of Vupen Security, which wielded the Chrome zero-day an hour or so after the contest began on Wednesday. "We wanted to show that even Chrome is not unbreakable."

A contestant in the second contest, which Google has dubbed "Pwnium," was also able to bypass the Chrome sandbox so he could execute any code of his choosing on the underlying machine. Sergey Glazunov wasn't on site to discuss the hack. Google has said only that for him to win the top $60,000 reward, his exploit was required to bypass the sandbox using code native to Chrome.

Bekrar told Ars that his team's attack exploited what's known as a use-after-free bug to bypass DEP, or data execution prevention, and ASLR, or address space layout randomization. Both mitigations are designed to prevent hackers from executing malicious code even when they locate vulnerabilities. He said it exploited a second vulnerability that allows code to break out of the sandbox. He declined to detail the vulnerable component, except to say it was found in the "default" installation of the Google browser.

That detail led several observers to speculate that an Adobe Flash plugin was the means Vupen used to access more sensitive parts of the operating system. While Chrome runs the media player add-on in its own sandbox, the perimeter is considerably more porous than it is with other components, security researchers say. Core functionality in Flash, for instance, requires that the app be able to control web cams and microphones, access system state, and connect to display monitors and other connected devices.

Now in its sixth year at the CanSecWest security conference in Vancouver, the contest has had its rules significantly reworked this time around. In the past, organizer Tipping Point paid as much as $15,000 to the first person who exploited a fully patched version of each piece of targeted software. Competitors on Wednesday scored 32 points for zero-day vulnerabilities, and they received 10 points each for exploiting already patched security flaws.

The new rules require nimbleness on the part of contestants because they learned which six patched flaws were eligible only as the competition got underway. Tipping Point gave them a virtual machine containing only a trigger that caused each browser to crash. It was then up to the hackers to use debuggers, disassemblers and other tools to isolate the cause of the crash and to engineer an exploit that allowed them to remotely execute code.

"It's really challenging because you don't only need to show you can create sophisticated exploits but you also have to show that you can create exploits very quickly," Bekrar said. "Our team creates exploits every day, every year, so for us it was a nice challenge."

So far, his team has exploited three of the six eligible vulnerabilities. It took 20 minutes to develop an attack for version 8 of IE running on Windows XP, an hour to write one that pwned Safari 5 on OS X Snow Leopard, and two hours for one that compromised Firefox 3 on Windows XP. That left Vupen with 62 points as day one was winding down. The only other team that had entered had no points yet, but its members could still submit entries until midnight. The contestants will also have a shot at the same vulnerabilities on Thursday and Friday, although the points scored diminish over time.

Vupen plans to exploit the remaining patched vulnerabilities on Thursday. But Bekrar, who said his team spent six months developing multiple zero-days for all four of the eligible browsers, said people shouldn't be surprised if Vupen drops another one in the coming day.

"I think tomorrow we will go for another browser, just for fun," he said.

Bekrar told Ars that his team's attack exploited what's known as a use-after-free bug to bypass DEP, or data execution prevention, and ASLR, or address space layout randomization.

What does that mean?

I'm guessing use-after-free means that he accessed memory that was supposed to be freed by the operating system but hadn't yet been cleared, and ASLR is about randomizing where in memory (relative to other parts of memory) data and code will be loaded. If you don't randomize the address space, an attacker could potentially run certain parts of the code repeatedly to figure out where certain bits of code are located, and use that information in conjunction with other exploits.

ASLR is just a way of putting certain snippets of information in randomized places in memory when it's executed or loaded into memory for some other reason. This makes it hard for attacking programs to find the data they need to attack, so they're just as likely to modify something else and crash the program, which is way better in the eyes of the developer.

Use after free is where the program allocates some memory for something (e.g. storing the downloaded HTML text), releases (frees) that memory, then attempts to access that memory which now belongs to the operating system.

Data Execution Prevention (DEP) is where allocated memory that is marked as data (instead of being executable code) is not allowed to be run as code on the machine. This means that JIT compilers found in modern JavaScript engines that convert the JavaScript to native code need to explicitly mark the memory they are writing the native code to as being executable.

Address Space Layout Randomization (ASLR) makes it harder for attackers to use fixed addresses to jump to in order to call system methods by randomizing the location where the system code (DLLs or shared objects) is loaded.

These protection mechanisms make it harder for an attacker, but not impossible (JIT code is still executable, for example). They also work better when used in combination (a layered defense -- similar to a castle's defenses).
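The use-after-free scenario described in the comment above, as an added example that is not code from the article or from any browser: a generational-handle allocator, a defensive pattern in which a stale reference fails closed (returns NULL) instead of touching freed or reused memory. The handle type and the buf_* function names are hypothetical, and the HTML string is constructed sample data.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical generational-handle allocator (added example, not from the page).
 * Callers hold a (slot, generation) pair instead of a raw pointer; freeing bumps the
 * generation, so every outstanding handle becomes stale and is rejected on lookup. */
#define SLOTS 4

typedef struct { uint32_t slot; uint32_t gen; } handle_t;

static struct { void *ptr; uint32_t gen; int live; } table[SLOTS];

/* Allocate a zeroed buffer and return a handle rather than the pointer itself. */
handle_t buf_alloc(size_t n) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!table[i].live) {
            table[i].ptr = calloc(1, n);
            table[i].live = 1;
            return (handle_t){ i, table[i].gen };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };   /* out of slots: an invalid handle */
}

/* Resolve a handle; a dead slot or mismatched generation means "freed": return NULL. */
void *buf_get(handle_t h) {
    if (h.slot >= SLOTS || !table[h.slot].live || table[h.slot].gen != h.gen)
        return NULL;
    return table[h.slot].ptr;
}

/* Free the buffer and advance the generation; a double free is rejected the same way. */
void buf_free(handle_t h) {
    if (buf_get(h) == NULL) return;
    free(table[h.slot].ptr);
    table[h.slot].ptr = NULL;
    table[h.slot].live = 0;
    table[h.slot].gen++;
}

/* Walk the comment's scenario: store "downloaded HTML", free it, then try to use it again,
 * including after the slot has been handed to a new allocation. Returns 1 if every stale
 * access was caught and the fresh allocation still works. */
int demo_use_after_free(void) {
    handle_t page = buf_alloc(64);
    char *p = buf_get(page);
    if (p == NULL) return 0;
    strcpy(p, "<html>constructed sample</html>");  /* constructed sample data */
    buf_free(page);
    if (buf_get(page) != NULL) return 0;           /* the use-after-free attempt */
    handle_t other = buf_alloc(64);                /* reuses the slot, new generation */
    int ok = buf_get(page) == NULL && buf_get(other) != NULL;
    buf_free(other);
    return ok;
}
```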

Vupen co-founder Chaouki Bekrar told ZDNet that "the Chrome sandbox is the most secure sandbox out there. It's not an easy task to create a full exploit to bypass all the protections in the sandbox."

So even though they cracked it, they gave props where it was due. It doesn't hide the fact that Chrome was cracked b/c every Chrome install comes with Flash installed even if it is sandboxed by Chrome.

It just takes down the hubris Google engineers and fanboys had about Chrome's supposedly invincible sandbox architecture. It might be better than the others, but it doesn't mean you are immune from common sense.

It just takes down the hubris Google engineers and fanboys had about Chrome's supposedly invincible sandbox architecture.

Nothing is invincible, Chrome fanboys and Google engineers know that. I'm sure they appreciate the event, because it gives them more insight. As one of them said a couple of days ago, they hope that Chrome will get pwned, because they need this kind of data to further improve it.

Now if they would only make Chrome as adaptable as Firefox or at least Opera, I would probably use it more...

Also, why is Adblock for Chrome so much less capable than Adblock for Firefox? The more shady sites on the web are almost impossible to browse on Chrome, because of all the pop-ups that get through and the flash layovers. Firefox catches them all.

Troll much? Google itself is interested in knowing about vulnerabilities in its browser, and to that effect they were offering up to $1 million in prizes for successful exploits. That wasn't a display in bravado, even though they have the best track record in all browsers. Every piece of software is potentially exploitable, and to think one is invulnerable would be a big mistake.

With that out of the way, I'm curious: is IE10 in the competition? Is there any notable development in its security other than the fact that the Metro version doesn't allow plugins?

Also, why is Adblock for Chrome so much less capable than Adblock for Firefox? The more shady sites on the web are almost impossible to browse on Chrome, because of all the pop-ups that get through and the flash layovers. Firefox catches them all.

It is not in Google's interest to block so many ads. They need the revenue it generates. Mozilla just got a fixed amount, like $300M, from Google every year, so they are not so hard up for ads.

CHROME USERS: Turn on Javascript whitelisting. JS whitelist settings are synchronised with everything else. It's very convenient (synchronisation makes it more convenient than "NoScript", except that it doesn't yet allow wildcards to be used in domains/URLs; NoScript, by contrast, requires export/import of whitelists).

Also, why is Adblock for Chrome so much less capable than Adblock for Firefox? The more shady sites on the web are almost impossible to browse on Chrome, because of all the pop-ups that get through and the flash layovers. Firefox catches them all.

Just do what most sensible people do. Modify your hosts file. 127.0.0.1 all the way baby. Works on EVERY browser.

Vupen co-founder Chaouki Bekrar told ZDNet that "the Chrome sandbox is the most secure sandbox out there. It's not an easy task to create a full exploit to bypass all the protections in the sandbox."

So even though they cracked it, they gave props where it was due. It doesn't hide the fact that Chrome was cracked b/c every Chrome install comes with Flash installed even if it is sandboxed by Chrome.

It just takes down the hubris Google engineers and fanboys had about Chrome's supposedly invincible sandbox architecture. It might be better than the others, but it doesn't mean you are immune from common sense.

I would like you to give me references of this hubris by these engineers. It sounds to me that you suffer from some form of sour grapes.

This is the problem with integrating Flash or any plug-in into a browser. Google was dumb to do so. Nobody else has done so, which tells you something. What was surprising is that the sandboxing Chrome does was able to be bypassed.

The article should say whether or not Vupen will be releasing the details of their hack to Google, since the terms of Pwn2Own no longer require that.

Also the link to the Google sponsored contest is broken.

Sorry about the broken link, which pointed to previous Ars coverage of the Google-sponsored Pwnium contest. It has been fixed.

A quick correction to your other point: Pwn2Own rules have always required contestants to provide full technical details of the underlying exploit, and yes, Vupen will be complying. Tipping Point says the rules have never required disclosure of sandbox escapes, and Bekrar said he plans to keep those details private.

I sure hope that the Open Web Platform communities have learned well from the security issues with the Flash plugin. If we're going to be exposing things like low-level graphics libraries and persistent data stores to web applications, then we better have a very clever sandbox architecture.

This is a great starting point for Chrome. Hopefully they are able to find ways to avoid exploits that are found. I won't be switching from Firefox, but I still have quite a few friends who use Chrome.

The article should say whether or not Vupen will be releasing the details of their hack to Google, since the terms of Pwn2Own no longer require that.

Also the link to the Google sponsored contest is broken.

Sorry about the broken link, which pointed to previous Ars coverage of the Google-sponsored Pwnium contest. It has been fixed.

A quick correction to your other point: Pwn2Own rules have always required contestants to provide full technical details of the underlying exploit, and yes, Vupen will be complying. Tipping Point says the rules have never required disclosure of sandbox escapes, and Bekrar said he plans to keep those details private.

I can't point to the article - BUT Quitch is correct. There was a recent announcement of the rule changes that stated they are no longer required to disclose their findings - which in fact they were previously requiring. Which is why Google withdrew their sponsorship of the contest.

Also, why is Adblock for Chrome so much less capable than Adblock for Firefox? The more shady sites on the web are almost impossible to browse on Chrome, because of all the pop-ups that get through and the flash layovers. Firefox catches them all.

It is not in Google's interest to block so many ads. They need the revenue it generates. Mozilla just got a fixed amount, like $300M, from Google every year, so they are not so hard up for ads.

Uh, Adblock works just fine. Of course the famous Firefox Adblock is Adblock Plus beta on Chrome.

The article should say whether or not Vupen will be releasing the details of their hack to Google, since the terms of Pwn2Own no longer require that.

Also the link to the Google sponsored contest is broken.

Sorry about the broken link, which pointed to previous Ars coverage of the Google-sponsored Pwnium contest. It has been fixed.

A quick correction to your other point: Pwn2Own rules have always required contestants to provide full technical details of the underlying exploit, and yes, Vupen will be complying. Tipping Point says the rules have never required disclosure of sandbox escapes, and Bekrar said he plans to keep those details private.

I can't point to the article - BUT Quitch is correct. There was a recent announcement of the rule changes that stated they are no longer required to disclose their findings - which in fact they were previously requiring. Which is why Google withdrew their sponsorship of the contest.

Do a Google Search - you'll find that information all over the place.

Google wrote a blog post (linked to in Ars's previous coverage) that claims the Pwn2Own rules have changed. Tipping Point adamantly insists the rules have *not* changed, and that contestants have never been required to disclose sandbox escapes.

So I think the onus is on you (and Quitch) to support the claim that there's been a change. Google's saying there has been a change doesn't automatically make it so.

Yes, because whether it's secure or not is meaningless when it's essential for full access to the web for the near future, accessing literally hundreds of dead-ender sites that somehow don't care that they're blocking hundreds of millions and soon billions(!) of mobile and other users.

This is the problem with integrating Flash or any plug-in into a browser. Google was dumb to do so. Nobody else has done so, which tells you something. What was surprising is that the sandboxing Chrome does was able to be bypassed.

Give Google a break: “the enemy of my enemy is my friend.” 18 months ago, Adobe was desperate, recognizing that smartphones were fast overtaking PCs in sales [ √ ] and maybe even foresaw that tablets were soon to become individuals' personal machine of choice [ √ ]. Their customer base was clamoring for more features (e.g., 3D) that would make it even more impossible to squeeze Flash into less-than-top-of-the-line smartphones. (My laptop has shown the Flash plugin using more memory [before it crashed] than the original iPhone had in total.)

Vupen co-founder Chaouki Bekrar told ZDNet that "the Chrome sandbox is the most secure sandbox out there. It's not an easy task to create a full exploit to bypass all the protections in the sandbox."

So even though they cracked it, they gave props where it was due. It doesn't hide the fact that Chrome was cracked b/c every Chrome install comes with Flash installed even if it is sandboxed by Chrome.

It just takes down the hubris Google engineers and fanboys had about Chrome's supposedly invincible sandbox architecture. It might be better than the others, but it doesn't mean you are immune from common sense.

I would like you to give me references of this hubris by these engineers. It sounds to me that you suffer from some form of sour grapes.

Sour grapes? You can waste your time googling old statements by Google engineers on their various blogs after every prior Pwn2Own contest and their reaction to the first Vupen exploit a few months back. Just b/c you stuck your fingers in your ears up until now doesn't mean it isn't there and archived.